Enable Use of Strict Mode Checking
An XCCDF Rule
Description
SSHs StrictModes
option checks file and ownership permissions in
the user's home directory .ssh
folder before accepting login. If world-
writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes
enabled. The appropriate
configuration is used if no value is set for StrictModes
.
To explicitly enable StrictModes
in SSH, add or correct the following line in
/etc/ssh/sshd_config
:
StrictModes yes
Rationale
If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.
- ID
- xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Find sshd_config included files
shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Find the include keyword, extract from the line the glob expression representing included files.
# And if it is a relative path prepend '/etc/ssh/'
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*include\s*//I' | sed -e 's|^[^/]|/etc/ssh/&|')